Abstract

We give all the polynomial functions of degree 20 which are APN
over an infinity of field extensions and show they are all CCZ-equivalent
to the function $x^5$, which is a new step in proving the conjecture of Aubry,
McGuire and Rodier.

Keywords: vector Boolean functions, almost perfect nonlinear functions,
algebraic surface, CCZ-equivalence.

1 Introduction

Modern private key crypto-systems, such as AES, are block ciphers. The security
of such systems relies on what is called the S-box. This is simply a Boolean
function $f : \mathbb{F}_2^n \to \mathbb{F}_2^n$ where $n$ is the size of the blocks. It is the only
nonlinear operation in the algorithm.

One of the best known attacks on these systems is differential cryptanalysis.
Nyberg proved in [13] that the S-boxes with the best resistance to such attacks
are the ones said to be Almost Perfectly Non-linear (APN).

Let $q = 2^n$. A function $f : \mathbb{F}_q \to \mathbb{F}_q$ is said to be APN on $\mathbb{F}_q$ if the number of
solutions in $\mathbb{F}_q$ of the equation

$$f(x + a) + f(x) = b$$

is at most 2 for all $a, b \in \mathbb{F}_q$, $a \neq 0$. The fact that $\mathbb{F}_q$ has characteristic 2
implies that the number of solutions is even for any function $f$ on $\mathbb{F}_q$.

The study of APN functions has focused on power functions and it was
recently generalized to other functions, particularly polynomials (Carlet, Pott
et al. [5, 7, 8]) or polynomials on small fields (Dillon [6]). On the other hand,
several authors (Berger, Canteaut, Charpin, Laigle-Chapuy [2], Byrne, McGuire
[4] or Jedlicka [10]) showed that APN functions did not exist in certain cases.
Some also studied the notion of being APN on other fields than $\mathbb{F}_{2^n}$ (Leducq
[12]).

Toward a full classification of all APN functions, an approach is to show that
certain polynomials are not APN for an infinity of extensions of $\mathbb{F}_2$.

Hernando and McGuire showed a result on classification of APN functions
which was conjectured for 40 years: the only exponents such that the monomial
$x^d$ is APN over an infinity of extensions of $\mathbb{F}_2$ are of the form $2^i + 1$ or $4^i - 2^i + 1$.
Those exponents are called exceptional exponents.

It led Aubry, McGuire and Rodier to formulate the following conjecture:

Conjecture: (Aubry, McGuire and Rodier) a polynomial can be APN for
an infinity of ground fields $\mathbb{F}_q$ if and only if it is CCZ-equivalent (as defined by
Carlet, Charpin and Zinoviev in [5]) to a monomial $x^d$ where $d$ is an exceptional
exponent.

A way to prove this conjecture is to remark that being APN is equivalent
to the fact that the rational points of a certain algebraic surface $X$ in a
3-dimensional space linked to the polynomial $f$ defining the Boolean function are
all in a surface $V$ made of 3 planes and independent of $f$. We define the surface
$X$ in the 3-dimensional affine space by

$$\phi(x,y,z) = \frac{f(x) + f(y) + f(z) + f(x+y+z)}{(x+y)(x+z)(y+z)} = 0$$

where $\phi$ is a polynomial in $\mathbb{F}_q[x,y,z]$. When the surface is irreducible or has
an irreducible component defined over the field of definition of $f$, a Weil-type
bound may be used to approximate the number of rational points of this surface.
When this number is too large, the surface is too big to be contained in the surface
$V$ and the function $f$ cannot be APN.

This approach enabled Rodier to prove in [14] that when the degree of $f$ is equal
to $4e$ with $e \equiv 3 \pmod 4$ and $\phi$ is not divisible by a certain form of polynomial
then $f$ is not APN for an infinity of extensions of $\mathbb{F}_q$. He also found all the APN
functions of degree 12 and proved they are all CCZ-equivalent to $x^3$.

To continue in this direction, we consider the APN functions of degree
20, which were the next ones on the list. The main difference in this case is that
$e \equiv 1 \pmod 4$. We were inspired by the proof of Rodier in [14] but took
another approach using divisors of the surface $X$. This was due to the fact that
some of the components of $X$ are no longer irreducible in our case.

Then we were able to obtain all the APN functions of degree 20 by calculation.
The conditions of divisibility by the polynomials we obtained made up the
first part of our work; we then had to work on the quotient to obtain the final
forms of the functions.

The second part was to prove that all were CCZ-equivalent to $x^5$.

This work has been done with François Rodier as adviser.
2 The state of the art

The best known APN functions are the Gold functions $x^{2^i+1}$ and the Kasami-Welch
functions $x^{4^i-2^i+1}$. These 2 functions are defined over $\mathbb{F}_2$ and they are
APN on any field $\mathbb{F}_{2^m}$ if $\gcd(m,i) = 1$. Aubry, McGuire and Rodier obtained
the following results in [1].

Theorem 1 (Aubry, McGuire and Rodier, [1]) If the degree of the polynomial
function $f$ is odd and not an exceptional number then $f$ is not APN over
$\mathbb{F}_{q^n}$ for all $n$ sufficiently large.

Theorem 2 (Aubry, McGuire and Rodier [1]) If the degree of the polynomial
function $f$ is $2e$ with $e$ odd and if $f$ contains a term of odd degree, then $f$ is
not APN over $\mathbb{F}_{q^n}$ for all $n$ sufficiently large.

There are some results in the case of Gold degree $d = 2^i + 1$:

Theorem 3 (Aubry, McGuire and Rodier [1]) Suppose $f(x) = x^d + g(x)$
where $\deg(g) \leq 2^{i-1} + 1$. Let $g(x) = \sum_{j=0}^{2^{i-1}+1} a_j x^j$. Suppose moreover that there
exists a nonzero coefficient $a_j$ of $g$ such that $\phi_j(x,y,z)$ is absolutely irreducible
(where $\phi_j(x,y,z)$ denotes the polynomial $\phi(x,y,z)$ associated to $x^j$). Then $f$ is
not APN over $\mathbb{F}_{q^n}$ for all $n$ sufficiently large.

And for Kasami degree as well:

Theorem 4 (Férard, Oyono and Rodier [9]) Suppose $f(x) = x^d + g(x)$
where $d$ is a Kasami exponent and $\deg(g) \leq 2^{2i-1} - 2^{i-1} + 1$. Let
$g(x) = \sum_{j=0}^{2^{2i-1}-2^{i-1}+1} a_j x^j$. Suppose moreover that there exists a nonzero coefficient $a_j$
of $g$ such that $\phi_j(x,y,z)$ is absolutely irreducible. Then $\phi(x,y,z)$ is absolutely
irreducible.

Rodier proved the following results in [14]. We recall that for any function
$f : \mathbb{F}_q \to \mathbb{F}_q$ we associate to $f$ the polynomial $\phi(x,y,z)$ defined by:

$$\phi(x,y,z) = \frac{f(x) + f(y) + f(z) + f(x+y+z)}{(x+y)(x+z)(y+z)}$$

Theorem 5 (Rodier [14]) If the degree of a polynomial function $f$ is even
such that $\deg(f) = 4e$ with $e \equiv 3 \pmod 4$, and if the polynomials of the form

$$(x+y)(x+z)(y+z) + P,$$

with

$$P(x,y,z) = c_1(x^2+y^2+z^2) + c_4(xy+xz+zy) + b_1(x+y+z) + d,$$

for $c_1, c_4, b_1, d \in \mathbb{F}_{q^3}$, do not divide $\phi$ then $f$ is APN over $\mathbb{F}_{q^n}$ for $n$ large.

There are more precise results for polynomials of degree 12.

Theorem 6 (Rodier [14]) If the degree of the polynomial $f$ defined over $\mathbb{F}_q$
is 12, then either $f$ is not APN over $\mathbb{F}_{q^n}$ for large $n$ or $f$ is CCZ-equivalent to
the Gold function $x^3$.
3 New Results

We have been interested in the functions defined by a polynomial of degree 20.

The main difference with the case already studied is that, when $e = 5$,
$\phi_e(x,y,z)$ (where $\phi_e(x,y,z)$ denotes the polynomial $\phi(x,y,z)$ associated to $x^e$)
is not irreducible. So we had to detail more cases in the proof and use divisors
on the surface $X$. We then obtained the following results:

Theorem 7 If the degree of a polynomial function $f$ defined over $\mathbb{F}_q$ is 20 and if
the polynomials of the form

$$(x+y)(x+z)(y+z) + P_1$$

with $P_1 \in \mathbb{F}_{q^3}[x,y,z]$ and $P_1(x,y,z) = c_1(x^2+y^2+z^2) + c_4(xy+xz+yz) + b_1(x+y+z) + d$
or

with $P_2 = a(x+y+z) + b$

do not divide $\phi$ then $f$ is APN over $\mathbb{F}_{q^n}$ for $n$ large.

Theorem 8 If the degree of the polynomial $f$ defined over $\mathbb{F}_q$ is 20, then either
$f$ is not APN over $\mathbb{F}_{q^n}$ for large $n$ or $f$ is CCZ-equivalent to the Gold function
$x^5$.



4 Preliminaries

The following results are needed to prove Theorem 7. All the proofs are in
[14].

Proposition 1 [14] The class of APN functions is invariant by adding a
$q$-affine polynomial.

Proposition 2 [14] The kernel of the map

$$f \mapsto \frac{f(x)+f(y)+f(z)+f(x+y+z)}{(x+y)(x+z)(y+z)}$$

is made of $q$-affine polynomials.

We define the surface $X$ in the 3-dimensional affine space $\mathbb{A}^3$ by

$$\phi(x,y,z) = \frac{f(x)+f(y)+f(z)+f(x+y+z)}{(x+y)(x+z)(y+z)} = 0$$

and we call $\overline{X}$ its projective closure.

Proposition 3 [14] If the surface $X$ has an irreducible component defined over
the field of definition of $f$ which is not one of the planes $(x+y)(x+z)(y+z) = 0$,
the function $f$ cannot be APN for infinitely many extensions of $\mathbb{F}_q$.

Lemma 1 [11] Let $H$ be a projective hypersurface. If $X \cap H$ has a reduced
absolutely irreducible component defined over $\mathbb{F}_q$ then $X$ has an absolutely
irreducible component defined over $\mathbb{F}_q$.

Lemma 2 [1] Suppose $d$ is even and write $d = 2^j e$ where $e$ is odd. In $X \cap H$
we have

$$\phi_d = \phi_e(x,y,z)^{2^j} \left((x+y)(x+z)(y+z)\right)^{2^j-1}$$

Lemma 3 [14] The function $x+y$ (and therefore $A$) does not divide $\phi_i(x,y,z)$
for $i$ an odd integer.

Lemma 4 $\phi_5$ is not irreducible and we have

$$\phi_5 = (x + \alpha y + \alpha^2 z)(x + \alpha^2 y + \alpha z)$$

with $\alpha \in \mathbb{F}_4 - \mathbb{F}_2$.

A direct calculation is sufficient to prove this.
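The APN definition from the introduction, the criterion that all rational points of $X$ lie on the three planes, and Lemma 4 can each be checked by brute force on small fields. The Python code below is an added example, not the author's Sage sheet; the field moduli, the function names and the choice of test fields $\mathbb{F}_8$, $\mathbb{F}_{16}$ and $\mathbb{F}_{32}$ are assumptions made here.

```python
# Added example (not from the paper): brute-force checks over small fields GF(2^n).
from itertools import product

# Irreducible polynomials over GF(2), chosen here as field moduli (an assumption;
# any irreducible polynomial of the same degree gives an isomorphic field).
MODULI = {3: 0b1011, 4: 0b10011, 5: 0b100101}

def gf_mul(a, b, n):
    """Product of a and b in GF(2^n): carry-less multiply, reduced mod MODULI[n]."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:
            a ^= MODULI[n]
    return r

def gf_pow(a, e, n):
    """a^e in GF(2^n) by square-and-multiply."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, n)
        a = gf_mul(a, a, n)
        e >>= 1
    return r

def power_map(d, n):
    """Lookup table of the monomial x -> x^d on GF(2^n)."""
    return [gf_pow(x, d, n) for x in range(1 << n)]

def differential_uniformity(table):
    """max over a != 0 and b of #{x : f(x+a) + f(x) = b}; f is APN iff this is 2."""
    q = len(table)
    worst = 0
    for a in range(1, q):
        counts = [0] * q
        for x in range(q):
            counts[table[x ^ a] ^ table[x]] += 1
        worst = max(worst, max(counts))
    return worst

def rational_points_in_planes(table):
    """Surface criterion: True iff every (x, y, z) with
    f(x)+f(y)+f(z)+f(x+y+z) = 0 lies on x=y, x=z or y=z (i.e. A = 0).
    Off the three planes, phi = 0 exactly when this numerator vanishes."""
    q = len(table)
    for x, y, z in product(range(q), repeat=3):
        if x != y and x != z and y != z:
            if table[x] ^ table[y] ^ table[z] ^ table[x ^ y ^ z] == 0:
                return False
    return True

def lemma4_holds():
    """Check x^5+y^5+z^5+(x+y+z)^5 = A*(x+al*y+al^2*z)*(x+al^2*y+al*z) on GF(16)^3.
    Both sides have degree <= 4 in each variable, so agreement at all 16^3
    points is a polynomial identity."""
    n, m = 4, lambda u, v: gf_mul(u, v, 4)
    # alpha: a root of t^2 + t + 1, i.e. an element of F_4 \ F_2 inside GF(16)
    al = next(t for t in range(2, 16) if m(t, t) ^ t ^ 1 == 0)
    al2 = m(al, al)
    f = power_map(5, n)
    for x, y, z in product(range(16), repeat=3):
        A = m(m(x ^ y, x ^ z), y ^ z)
        l1 = x ^ m(al, y) ^ m(al2, z)
        l2 = x ^ m(al2, y) ^ m(al, z)
        if f[x] ^ f[y] ^ f[z] ^ f[x ^ y ^ z] != m(A, m(l1, l2)):
            return False
    return True

if __name__ == "__main__":
    for n in (3, 4, 5):
        t = power_map(5, n)
        print(n, differential_uniformity(t), rational_points_in_planes(t))
    print("Lemma 4:", lemma4_holds())
```

On $\mathbb{F}_{16}$ the map $x^5$ has differential uniformity 4 and fails the surface criterion, in line with the condition $\gcd(m,i) = 1$ quoted for Gold functions in Section 2; on $\mathbb{F}_8$ and $\mathbb{F}_{32}$ it is APN.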

5 Proof of theorem 7

Let $f : \mathbb{F}_q \to \mathbb{F}_q$ be a function which is APN over infinitely many extensions of
$\mathbb{F}_q$. As a consequence of proposition 11 no absolutely irreducible component of
$X$ is defined over $\mathbb{F}_q$, except perhaps $x+y = 0$, $x+z = 0$ or $y+z = 0$.

If some component of $X$ is equal to one of these planes then by symmetry
in $x$, $y$ and $z$, all of them are components of $X$, which implies that
$A = (x+y)(x+z)(y+z)$ divides $\phi$. Let us suppose from now on that this is
not the case.

Let $H_\infty$ be the plane at infinity of $\mathbb{A}^3$ and $X_\infty = X \cap H_\infty$. The equation of
$X_\infty$ is $\phi_{20} = 0$ which gives, using lemma 13 and 14,

$$(x + \alpha y + \alpha^2 z)^4 (x + \alpha^2 y + \alpha z)^4 = 0.$$

As the curve $X_\infty$ does not contain any irreducible component defined over $\mathbb{F}_q$,
$\alpha \notin \mathbb{F}_q$ and then $q = 2^n$ with $n$ odd.

Let $X_0$ be a reduced absolutely irreducible component of $X$ which contains
the line $x+y = 0$ in $H_\infty$. The cases where $X_0$ contains 2 or 3 copies of the line
$x+y = 0$ in $H_\infty$ and where $X_0$ contains one copy of the line $x+y = 0$ and is
of degree 1 are treated in [14] and do not differ in our case. So from now on we
assume that $X_0$ contains only one copy of the line $x+y = 0$ and is at least of
degree 2.

Let $\mathcal{C}_1$ be the plane of equation $x + \alpha y + \alpha^2 z = 0$ and $\mathcal{C}_2$ the plane of equation
$x + \alpha^2 y + \alpha z = 0$; we denote $C_i = \mathcal{C}_i \cap H_\infty$ for $i = 1, 2$. Let $A_0$ be the line of
equation $x+y = 0$ in $H_\infty$, $A_1$ the line of equation $y+z = 0$ in $H_\infty$ and $A_2$ the
line of equation $x+z = 0$ in $H_\infty$.

Let us consider $D$ the divisor associated to the hyperplane section $X \cap H_\infty$,
so

$$D = 4C_1 + 4C_2 + 3A_0 + 3A_1 + 3A_2$$

We now denote $\mathfrak{X}_0$ the divisor associated to the hyperplane section of $X_0$, which is
a sub-divisor of $D$ of degree at least 2. We will denote $\mathfrak{X}_1$ the divisor obtained
from $\mathfrak{X}_0$ by applying the permutation $(x,y,z)$, $\mathfrak{X}_2$ the divisor obtained from
$\mathfrak{X}_0$ by applying the permutation $(x,z,y)$, $\mathfrak{X}_3$ the divisor obtained from $\mathfrak{X}_0$ by
applying the transposition $(x,y)$, $\mathfrak{X}_4$ the divisor obtained from $\mathfrak{X}_0$ by applying
the transposition $(x,z)$ and $\mathfrak{X}_5$ the divisor obtained from $\mathfrak{X}_0$ by applying the
transposition $(y,z)$. As $\phi(x,y,z)$ is symmetrical in $x$, $y$ and $z$ we know that $\mathfrak{X}_i$
is a sub-divisor of $D$ for $i = 1, \dots, 5$. The cases where $\mathfrak{X}_0 \geq 2A_0$ or $\mathfrak{X}_0 = A_0$ are
already treated in [14] so we have to study the cases below.

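5.1 Case where $\mathfrak{X}_0$ is of degree 2.

i. If $\mathfrak{X}_0 = A_0 + A_1$ then from [14] 5.7 we have a contradiction with the
fact that $\mathfrak{X}_0$ is at most of degree 2.

ii. If $\mathfrak{X}_0 = A_0 + C_i$, then $\mathfrak{X}_1 = A_1 + C_i$, $\mathfrak{X}_2 = A_2 + C_i$, $\mathfrak{X}_3 = A_0 + C_j$,
$\mathfrak{X}_4 = A_1 + C_j$, $\mathfrak{X}_5 = A_2 + C_j$ with $j \neq i$. As seen in [14] the group
$\langle\rho\rangle = \mathrm{Gal}(\mathbb{F}_{q^3}/\mathbb{F}_q)$ acts on $X_0$ and as $X_0$ is not defined over $\mathbb{F}_q$ there exist
sub-varieties $X_6$, $X_7$ and $X_8$ which have, respectively, the associated divisors
$\mathfrak{X}_6$, $\mathfrak{X}_7$ and $\mathfrak{X}_8$. We have $\mathfrak{X}_6 = A_0 + C_i$, $\mathfrak{X}_7 = A_1 + C_i$ and $\mathfrak{X}_8 = A_2 + C_i$.
Finally we have $\sum \mathfrak{X}_i > D$ which is a contradiction.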

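5.2 Case where $\mathfrak{X}_0$ is of degree 3.

i. The case where $\mathfrak{X}_0 = A_0 + A_1 + A_2$ has already been treated in [14]; this is
the case where $A + P_1$ divides $\phi$.

ii. If $\mathfrak{X}_0$ contains 2 of the $A_i$, from [14] 5.7 it contains the 3 and it is the same
case as previously.

iii. If $\mathfrak{X}_0 = A_0 + 2C_i$, then $\mathfrak{X}_1 = A_1 + 2C_i$ and $\mathfrak{X}_2 = A_2 + 2C_i$; in this case
$\mathfrak{X}_0 + \mathfrak{X}_1 + \mathfrak{X}_2 \not\leq D$ which is a contradiction.

iv. If $\mathfrak{X}_0 = A_0 + C_1 + C_2$, then $\mathfrak{X}_1 = A_1 + C_1 + C_2$ and $\mathfrak{X}_2 = A_2 + C_1 + C_2$,
$\mathfrak{X}_3 = A_0 + C_1 + C_2$, $\mathfrak{X}_4 = A_1 + C_1 + C_2$ and $\mathfrak{X}_5 = A_2 + C_1 + C_2$. Then
$\sum \mathfrak{X}_i > D$ which is a contradiction.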

5.3 Case where $\mathfrak{X}_0$ is of degree 4.

i. If $\mathfrak{X}_0 = A_0 + A_1 + A_2 + C_i$, then $\mathfrak{X}_1 = A_0 + A_1 + A_2 + C_i$,
$\mathfrak{X}_2 = A_0 + A_1 + A_2 + C_i$, $\mathfrak{X}_3 = A_0 + A_1 + A_2 + C_j$, $\mathfrak{X}_4 = A_0 + A_1 + A_2 + C_j$ and
$\mathfrak{X}_5 = A_0 + A_1 + A_2 + C_j$. Then $\sum \mathfrak{X}_i > D$ which is a contradiction.

ii. If $\mathfrak{X}_0$ contains 2 of the $A_i$, from [14] 5.7 it contains the 3 and we are in the
same case as in i).

iii. If $\mathfrak{X}_0 = A_0 + 3C_i$, then $\mathfrak{X}_1 = A_1 + 3C_i$ and $\mathfrak{X}_2 = A_2 + 3C_i$. Then D
which is a contradiction.
iv. If $\mathfrak{X}_0 = A_0 + 2C_i + C_j$ then $\mathfrak{X}_1 = A_1 + 2C_i + C_j$ and $\mathfrak{X}_2 = A_2 + 2C_i + C_j$,
with $j \neq i$. Then $\sum \mathfrak{X}_i > D$ which is a contradiction.

5.4 Case where $\mathfrak{X}_0$ is of degree 5.

i. If $\mathfrak{X}_0 = A_0 + 2(C_1 + C_2)$, then $\mathfrak{X}_1 = A_1 + 2(C_1 + C_2)$ and
$\mathfrak{X}_2 = A_2 + 2(C_1 + C_2)$. Then $\sum \mathfrak{X}_i > D$ which is a contradiction.

ii. If $\mathfrak{X}_0 = A_0 + 3C_i + C_j$, $j \neq i$, $\mathfrak{X}_1 = A_1 + 3C_i + C_j$ and $\mathfrak{X}_2 = A_2 + 3C_i + C_j$.
Then D which is a contradiction.

iii. If $\mathfrak{X}_0 = A_0 + 4C_i$, then $\mathfrak{X}_1 = A_1 + 4C_i$, then $\mathfrak{X}_0 + \mathfrak{X}_1 \not\leq D$ which is a
contradiction.

iv. If $\mathfrak{X}_0$ contains 2 of the $A_i$, from [14] 5.7 it contains the 3 and we will treat
those cases in the following points.

v. If $\mathfrak{X}_0 = A_0 + A_1 + A_2 + 2C_i$ then $\mathfrak{X}_1 = A_0 + A_1 + A_2 + 2C_i$ and
$\mathfrak{X}_2 = A_0 + A_1 + A_2 + 2C_i$. Then $\sum \mathfrak{X}_i > D$ which is a contradiction.

vi. The only case left is when $\mathfrak{X}_0 = A_0 + A_1 + A_2 + C_1 + C_2$. As seen in [14]
the group $\langle\rho\rangle = \mathrm{Gal}(\mathbb{F}_{q^3}/\mathbb{F}_q)$ acts on $X_0$ and as $X_0$ is not defined over
$\mathbb{F}_q$ there exist sub-varieties $X_6$, $X_7$ and $X_8$ which have, respectively, the
associated divisors $\mathfrak{X}_6$, $\mathfrak{X}_7$ and $\mathfrak{X}_8$. We have $\mathfrak{X}_6 = A_0 + A_1 + A_2 + C_1 + C_2$,
$\mathfrak{X}_7 = A_0 + A_1 + A_2 + C_1 + C_2$ and $\mathfrak{X}_8 = A_0 + A_1 + A_2 + C_1 + C_2$. It remains
the sub-divisor $\mathfrak{X}_9 = C_1 + C_2$. Therefore $\sum \mathfrak{X}_i = D$ and the form of $\phi$ is:

$$\phi = (\phi_5 + R)(A\phi_5 + Q)(A\phi_5 + \rho(Q))(A\phi_5 + \rho^2(Q))$$

with $R$ a polynomial of degree 1 such that $\phi_5 + R$ is not irreducible, $Q$ a
polynomial of degree 4 and $\rho$ the generator of $\mathrm{Gal}(\mathbb{F}_{q^3}/\mathbb{F}_q)$.

It is useless to consider the cases where $\mathfrak{X}_0$ is of degree more than 5 as we obtain
2 other divisors of the same degree from $\mathfrak{X}_0$ and $D$ is of degree 17. Therefore it
is sufficient to prove the theorem 7.

6 Proof of theorem 8

We have the two following cases to study:

6.1 Case where $A + P_1$ divides $\phi$.

If $P_1$ divides $\phi$ then $(A + P_1)(A + \rho(P_1))(A + \rho^2(P_1))$ divides $\phi$ too (see [14]).
By calculation (see Appendix 1) we can state that:

• $P_1 = c_1\phi_5 + c_1^3$.

• The trace of $c_1$ in $\mathbb{F}_{q^3}$ is 0.

• $(A + P_1)(A + \rho(P_1))(A + \rho^2(P_1))$ is the polynomial $\phi$ associated to $L(x)^3$
where $L(x) = x(x + c_1)(x + \rho(c_1))(x + \rho^2(c_1))$.

• We have $f = L(x)^3(L(x)^2 + a) + a_{16}x^{16} + a_8x^8 + a_4x^4 + a_2x^2 + a_1x + a_0$
where $a, a_0, a_1, a_2, a_4, a_8, a_{16} \in \mathbb{F}_q$.

By proposition 9 $f$ is equivalent to $L(x)^5 + aL(x)^3$. As $\mathrm{tr}(c_1) = 0$, $L(x)$ is
a $q$-affine permutation hence $f$ is CCZ-equivalent to $x^5 + ax^3$.

By theorem 3 $f$ cannot be APN over infinitely many extensions of $\mathbb{F}_q$ if
$a \neq 0$. Hence $a = 0$ and $f$ is CCZ-equivalent to $x^5$, which is a Gold function.

6.2 Case where $P_2$ divides $\phi$.

If $P_2$ divides $\phi$ then, by calculation (see Appendix 2), we obtain that
$f = (x^{20} + ax^{10} + bx^5) + a_{16}x^{16} + a_8x^8 + a_4x^4 + a_2x^2 + a_1x + a_0$,
where $a, b, a_0, a_1, a_2, a_4, a_8, a_{16} \in \mathbb{F}_q$. By
proposition 9 $f$ is equivalent to $x^{20} + ax^{10} + bx^5$. Therefore $f$ can be written
$f(x) = L(x^5)$ with $L(x) = x^4 + ax^2 + bx$ which is a permutation. Hence, $f$ is
CCZ-equivalent to $x^5$.

In conclusion, we proved that if $f(x)$ is a polynomial of $\mathbb{F}_q$ of degree 20 which
is APN over infinitely many extensions of $\mathbb{F}_q$, then $f(x)$ is CCZ-equivalent to
$x^5$.
7 Appendix

In this part we give the details of the calculations we made in order to state
Theorem 8. We just use the fact that $P_1$ or $P_2$ divides $\phi$ and it gives us conditions
on the coefficients of $P_1$ or $P_2$ and $\phi$. As $\phi$ is a symmetrical polynomial in $x, y, z$
we can write it using symmetrical functions $s_1 = x+y+z$, $s_2 = xy+xz+yz$ and
$s_3 = xyz$. We recall that $\phi_i$ is the polynomial $\phi$ associated to $x^i$ and therefore
$\phi(x,y,z)$, the polynomial associated to $f(x) = \sum_{i \geq 0} a_i x^i$, is written $\phi = \sum_i a_i\phi_i$.
Denoting $p_i = x^i + y^i + z^i$, we have $p_i = s_1p_{i-1} + s_2p_{i-2} + s_3p_{i-3}$. We
remark that $\phi_i = \frac{p_i + s_1^i}{A}$ and that $A = s_1s_2 + s_3$.

The calculations were made with the software Sage and you can find the sheet at
the following address: http://sagenb.org/home/pub/5035



7.1 Case where $A + P_1$ divides $\phi$.

We will write $P$ for $P_1$ in this section in order to make the calculations more readable.

If $A + P$ divides $\phi$ then $(A + P)(A + \rho(P))(A + \rho^2(P))$ is of degree 9 and
divides $\phi$ too (see [14]). We write

$$(A + P)(A + \rho(P))(A + \rho^2(P)) = \sum_{i=0}^{9} P_i,$$

where $P_i$ is the term of degree $i$ of $(A + P)(A + \rho(P))(A + \rho^2(P))$.

As $(A + P)(A + \rho(P))(A + \rho^2(P))$ divides $\phi$ there exists a polynomial $Q$
of degree 8 such that

$$\phi = (A + P)(A + \rho(P))(A + \rho^2(P))\,Q$$

and we write

$$Q = \sum_{i=0}^{8} Q_i$$

where $Q_i$ is the term of degree $i$ of $Q$.

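7.1.1 Degree 17

We put $a_{20} = 1$ and we have:

$$\phi_{20} = P_9Q_8.$$

As $P_9 = A^3$ we have $Q_8 = \phi_5^4$.

7.1.2 Degree 16.

We have

$$a_{19}\phi_{19} = P_9Q_7 + P_8Q_8.$$

As $P_8 = A^2(s_1^2\,\mathrm{tr}(c_1) + s_2\,\mathrm{tr}(c_4))$, where $\mathrm{tr}(c_1)$ is the trace of $c_1$, it gives us

$$a_{19}\phi_{19} = A^3Q_7 + A^2\phi_5^4(s_1^2\,\mathrm{tr}(c_1) + s_2\,\mathrm{tr}(c_4)).$$

As $\phi_{19}$ is not divisible by $A$ (by lemma 13), $a_{19} = 0$ and

$$AQ_7 = \phi_5^4(s_1^2\,\mathrm{tr}(c_1) + s_2\,\mathrm{tr}(c_4)).$$

We know that $A$ is prime with $s_1^2\,\mathrm{tr}(c_1) + s_2\,\mathrm{tr}(c_4)$ because $(x+y)$ does not divide
this polynomial, and $A$ does not divide $\phi_5^4$ either, which implies $Q_7 = P_8 = 0$
and $\mathrm{tr}(c_1) = \mathrm{tr}(c_4) = a_{19} = 0$.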

7.1.3 Degree 15. 

We have 

ai8'/>i8 = ai8(^0g) = PgQe + PsQr + PtQs- 
Knowing that Ps = Qt = we obtain 

aisiA4>l) = PqQq + PrQs = ^^Qe + ^Pr- 
We also know that 

4=(sl + s,)' = sl + st 
and

Pr = A {sfqi (ci) + s^qi (04) + S2?5 (ci, C4)) + A'^si tr (61) 

denoting 

qi (ci) = Cip (ci) + Cip^ {ci) + p (q) p2 (c) and 

g5(Cl,C4) = Ci (p(c4) +P^(C4))+C4 (p(ci) + p2(ci))+/9(ci)/92(c4)+p(c4)p^ (Ci). 

So 

ai809 = ^^Qe + <t)t {stqi (ci) + 5291 (c4) + SiS2(75 (ci, C4) + Asi tr (61)) , 

hence A divide ai8</'g + </'| (sfiji (ci) + 52(71 (04) + s\s2q5 (ci, C4)). As ^ = S1S2 + 
S3 the polynomial ai8(/)| + (/)| (sf?! (ci) + 52?! (^4) + SiS2'?5 (ci,C4)) cannot con- 
tain monomial in sj^ or therefore Oig = (7i (ci) = qi (C4). 

Then A divides oig ((/)| + (/>|) + 0|s?S2g5 (01,04). As 0^ _^ 0| = A'' and A 
does not divide (/)| we have 55 (01,04) = 0. Replacing in the first equation we 
have 

axiA^ = A^QQ+A(j>isi (tr (61)). 

So 

aiiA^ + AQQ=(t>lsi{iY{bi)), 
as A does not divide (/>|si, tr (61) = and Qe = clxsA^. 

7.1.4 Degree 14.

We first prove that Ci =04. 

We have 

aiTfAi? = -P9Q5 + . • • + PeQi = P9Q5 + PeQs- 

We know that 

Pe = A^N{d)+A{slq5{ci,bi) + siS2q5ici,bi))+slN{ci)+sls2qi{ci,C4)+slslq4{c4,ci)+slN{ci) 
where 

A''(a) = op(a)p^(a)which is the norm ofainFg.g4(a, 6) = ap{a)p^{b)+ap{b)p^{a)+hp{a)p^{a).q^{a,h) 

for all a, 6 in F^a. 
We can write 

Pe = ^'tr(d) + A (slq^iciM) + siS2g5(ci, 61)) + P^p{Pi)p\P^), 
where Pg = ciSi + 0452- So we can deduce that 

air(^i7 = A'^Q^+cj)! {AHrid) + A (s?g5(ci,fei) + 515295(01,61)) + Pg P(^6 )p'(^6 )) ■ 
We now have A divides ai7^i7 + ^|Pg*p(Pg )p^(Pg). In addition, denoting s = 

x + y, 

(x + zf(j)5 = {x + zf + s{x^y + x^z + yz^ + z^) = (a; + zf + si?i 






and 

(x + zf(l)n = {x + zf^ + si?2, 

where R\ is a polynomial of degree 3 and R2 is a polynomial of degree 15. As 
{x+zfA = {x+zfs{x+z+s) divides an{x+zf4>i7+Pip{PS)p'{P^){x+zf<i)i 
which is equal to 

ai7(a; + zf {x"^ + z^"" + + PgX^'e )p'(^6 ) {^^ + + • (1) 
Therefore we have Pg* = ci(s^ + z^) + C4(x^ + s(x + z)) = ci^:^ + 040;^ + siis = 
As s divides (1) the constant term in s vanishes : 

{x + (ai7(a; + + p{Pr)p\Pr)) = 0, 

then 

ai7(x + + P6"p(pr)p2(pr) = 0, 

hence 

ai7(a; + zf + (040;^ + Ci2;^)(p(c4)a;^ + p{c{)z^){p^ {ca)x^ + ^^(ci)^;^) = 0, 

so 

an{x + z)^ + (Vclx + ycr2)(p(v^)a; + p{yfc{)z){p^{^^^x + ^^(^01)2;) = 0. 

The polynomial x + z divides {^^Jclx + ^Jc\z){piy^Jc\)x + + 
P^(y^)z) so it divides one component and then c\ =04. 
We now calculate Pg and Q5. 

As ci = C4 we have Pg = ^^tr(d) + Acji^siqs (ci,6i) + ^5A'^(ci), so from 
ai7<pi7 = P9Q5 + PeQs we can deduce that A divides 017^17 + qs (ci) cpl- Hence 
the coefficient of the monomials s}^ in 017^17 + N (ci) which is 017 + N (ci), 
must be equal to 0, so an = N (ci). 

Remarking that (^17 + (fl = A'^<p5(l)g we have A divides <p5Siq5 (ci,6i). As 
05 si is not divisible by A we have (ci, 6i)=0. So now we have 

A^Q^ = A^cPi tr [d) + 017^^509, 

which gives 

^Qs = </'5 tr (d) + ai74>54)Q. 

Using the same argument as precedent we have tr (d) = N (ci) and then = 
ai7^^^ = ai7^V5 and Pg = {A^ + 4). 
7.1.5 Degree 13

We use 

= 0169^16 = P9Qi + -PsQs + PlQ^ + P&Ql + P5Q8 
= A^Q4 + alsAm + 4P5, 

with 

-P5 = g4(ci, 61) {si + sjsi) + A {qi{bi)sl + 95(01, d) (sf + S2)) ■ 

As A^ does not divide P5(f)f, so P5 = and 94(01,61) = 91(61) = 95(01, d) = 0. 
We deduce 

Qi = alg(l)l. 

7.1.6 Degree 12 

We have 

015015 = P9Q3 + PiQi + P7Q5 + PeQe + P5Q7 + P4Q8 
= A^Qs + aisaiT^Vs + a^anA^ {A^ + (f)l) + P^c^f, 

with 

Pi = 94(61, ci) (4 + sjs^) + 94(ci, d)(4 + sl) + q5{bi,d)Asi ^Hi + AG^, 

where = 94(61, ci)(sf + s\s2) + 94(01, d)(sf + s^) and G4 = 95(61, (i)si. So 
A\HA(j4, + ai5(/'i5- As 

i?4</'5+ai5</'i5 = ■'n (ai5 + 94(61, ci) + 94(01, (i))+s}°S294(6i,ci)+ai5S^S3+SiS2 («i5 + qi{cl,d))+s\s\ (94(61,01 
the coefficients of and must be and so 

^15 + 94(61, cl) + 94(01, d) = andai5 + 94(01, d) = 03094(61, ol) = 0. 
Replacing in the equation we now have 

Hi(j)l + ai5(/>i5 = ai5 {slsz + + ^i^s + si-A-'^z + 4) = ai5 (015 + <PI) , 

but A does not divide ^15 + so 015 = so if4 = 0. 
Hence 

= A^Qa + aiianA^(j)l + amanA^ {A^ + 0|) + AGiO^. 

So A divides G4, but the degree of G4 is less than or equal to 1 so G4 = it 
implies 95(61, d) = so P4 = 0. 
We conclude 

Qz = aisanA. 
7.1.7 Degree 11.

We have 

ai4h4 = P9Q2 + PsQs + P7Q4 + PeQs + P5Q6 + P4Q7 + P3Q8, 



so 

ai4^(0^ + slsl) = A^Q2 + alsA4>t + al^Acj)^ [A^ + 4>l) + P^cj>l. (*) 

So A divides P3. But P3 = N{bx)s\ + g6(ci, 61, d))si(/)5 + q\{d)A so iV(6i) = 

(76 (ci ,bi,d) =0 with 

geCci, 61, d) = 6ip(ci)p2(d)+6ip(d)p2(ci)+cip(foi)p2(d)+cip(d)p2(6i)+dp(ci)p2(;,^)+c;p(ci)p2(6i). 

As iV(6i) = 0,61 = 0. 

When we replace in the equation (*) we have

A^{Q2 + ai7(/)5) = A ((/)^ (ai4 + afg + a?7 + + ai4sl4) ' 

so ^ divides (/)| (014 + afg + a^y + (7i(fi))+ai4S^s§ = (sf+sf) (ai4 + o'ls + afy + qi{d)) + 
ai4sfs3, then 014 + a^g + afy + q'i(c?) = 0, with the same argument as before on 
the coefRcients of the monomials sf and S2, therefore 014 — because A does 
not divide sfs^. 
We obtain 

Q2 = al^(j)5, 

and 

P3 = (a?7 + a?g)A 

7.1.8 Degree 10. 

We have 

ai3<^i3 = P9Q1 + P&Q2 + P7Q3 + PqQa + -P5Q5 + P4Q6 + -P3O7 + P2Q8 

= A^Qi + aira^g^Vs + ana\&(l>i (^^ + ^^f) + "/-s (si94 (rf, cl) + 5294 {d, cl)) , 
so A divides aisc^iia+^g (aiyafg + (rf, cl)) = ais {s\s\ + s^^s + S2S3 + sis|) + 
^5 (cH3 + fliTflis + 94 ("^i ^l)) • ^i*'^ same argument as before on the coeffi- 
cients of the monomials sf and we have 

ai3 + aiTfl^g + 94 (d, cl) = 0. 

in addition, A does not divide s\s\ + S1S2S3 + S1S2S3 + sis\ so ais = and 
g4('i, cl) = ana\^. 
Now we have 

AQx = 0. 

So Qi = and P2 = anai^cj)^. 
7.1.9 Degree 9.

We have 

012012 = P9Q0 + PsQi + P7Q2 + PeQs + P5QA + PiQ^ + -P3Q6 + -P2Q7 + PiQ&, 
but = and as 61 = we have Pi = 0. So 

012^3 = A^Qo + al^a^^A4>l + al^a^^A {A^ + 4>l) + aisCafy + al^)A^, 
so Qo = ai2 + afg- 

7.1.10 Degree 8. 

We have 

aii0ii = PsQo + P7Q1 + P&Q2 + P5Q3 + P4Q4 + P3Q5 + -P2Q6 + P1Q7 + PoQs, 
which gives 

aii0ii = (Po + a?7)05- 
But 05 does not divide 0ii so an = et Pq = ^ly 

7.1.11 Conclusion. 

We now have the following systems: 

' tr(ci) = 

N{ci)+tT{d) = 

qh{ci,d) = 

< g4(ci,d) = 

q^{d)=ql{c^)+N{c^f 
qi{d,ci) = N{ci)ql{ci) 
_ N{d) = N{cif 

and 

ai8 = 91 (ci), ai7 = N{ci) = tr(d). 

Solving the system formed by the linear equations in d, p{d) , {d) , we obtain 
d = cf . We also have 61 = as bip (61) p"^ (61) = 0. Therefore 

P = C105 + C?, 

and 

<3 = 05+91 (ci)^^+^(ci)^05+gi(ci)^05+gi(ci)iV(ci)A+g3(ci)^05+ai2+?i(ci)^, 
therefore 

/ (a;) = x^°+ai8a;-^^+ai7a;^'^+ai6X-^^+ai2X-^^+ai8ai2a;^°+ai7ai2a;^+a8a;^+(ai8 + "isC'i? + «i8^*i2 + o-isaf^ + al 
Putting L (x) =x{x + ci){x + p (ci)) [x + p^ (ci)) we have that {A + P){A + p (P)) (A + p^ (P)) 
is the polynomial associated to L [xf wich leads us to study the divisibility 
of / by L {x)^- We have in our case f = L (x)^ (a;)^ + ai2^ + aigx^^ + a^x^ + 
a^x^ + a2x'^ + aix + aQ. 
7.2 Case where $P_2$ divides $\phi$.

We will write $P$ for $P_2$ in this section in order to make the calculations more readable.
From theorem 7 we have

$$\phi = (\phi_5 + R)(A\phi_5 + Q)(A\phi_5 + \rho(Q))(A\phi_5 + \rho^2(Q)),$$

where $R$ is a symmetrical polynomial of $\mathbb{F}_q$ of degree 1 and $Q$ is a
symmetrical polynomial of $\mathbb{F}_{q^3}$ of degree 4. We will denote $R = as_1 + b$ and
$(A\phi_5 + Q)(A\phi_5 + \rho(Q))(A\phi_5 + \rho^2(Q)) = \sum_{i=0}^{15} Q_i$. We will identify degree
by degree the expression of $\phi$.

7.2.1 Degree 17.

We have

$$\phi_{20} = A^3\phi_5^4 = \phi_5Q_{15},$$

so $Q_{15} = A^3\phi_5^3$.

7.2.2 Degree 16.

We have

$$a_{19}\phi_{19} = \phi_5Q_{14} + as_1Q_{15} = \phi_5Q_{14} + as_1A^3\phi_5^3,$$

which implies $\phi_5$ divides $\phi_{19}$ but this is not the case hence $a_{19} = 0$ and
$Q_{14} = as_1A^3\phi_5^2$.

7.2.3 Degree 15.

We have

$$a_{18}\phi_{18} = \phi_5Q_{13} + as_1Q_{14} + bQ_{15} = \phi_5Q_{13} + a^2s_1^2A^3\phi_5^2 + bA^3\phi_5^3,$$

which implies $\phi_5$ divides $\phi_{18}$ but this is not the case hence $a_{18} = 0$ and
$Q_{13} = A^3(a^2s_1^2\phi_5 + b\phi_5^2)$.

7.2.4 Degree 14 and 13

We have

$$a_{17}\phi_{17} = \phi_5Q_{12} + as_1Q_{13} + bQ_{14}, \qquad (2)$$

and

$$a_{16}\phi_{16} = 0 = \phi_5Q_{11} + as_1Q_{12} + bQ_{13} = \phi_5Q_{11} + as_1Q_{12} + bA^3(a^2s_1^2\phi_5 + b\phi_5^2). \qquad (3)$$

(2) implies that $Q_{12}$ is divisible by $\phi_5$ or $a = 0$. Let us assume $a \neq 0$. From (2)
we have

$$a_{17}\frac{\phi_{17}}{\phi_5} = Q_{12} + a^3s_1^3A^3$$

(we can show easily that $\phi_5$ divides $\phi_{17}$ by calculation). As $\phi_5$ divides $Q_{12}$ it
divides ai7^ + a^sfA^ too. But 

ai7^ + a^slA^ = 01753 + -Ri, 

05 

so $a_{17} = 0$. As $\phi_5$ does not divide $s_1^3A^3$ it means $a = 0$ and $Q_{12} = 0$. We now
have, in both cases

= (05 + 6) (flQi^ ■ 

We know that $\phi_5 + b$ is irreducible if $b \neq 0$ ([11]), which is in contradiction with
the fact that $f$ is APN over infinitely many extensions of $\mathbb{F}_q$ and then $b = 0$.
We now have $Q_{15} = A^3\phi_5^3$, $Q_{14} = Q_{13} = Q_{12} = Q_{11} = 0$.

7.2.5 Degree 12 to 8.

We have

$$a_{15}\phi_{15} = \phi_5Q_{10},$$

as $\phi_5$ does not divide $\phi_{15}$ we have $a_{15} = 0$ and $Q_{10} = 0$. The same method
can be applied until the degree 8. It gives $a_{14} = a_{13} = a_{12} = a_{11} = 0$ and
$Q_9 = Q_8 = Q_7 = Q_6 = 0$.

7.2.6 Degree 7.

We have

$$a_{10}\phi_{10} = a_{10}A\phi_5^2 = Q_5\phi_5,$$

so $Q_5 = a_{10}A\phi_5$.

7.2.7 Degree 6.

The same argument as in section 7.2.5 gives $a_9 = 0$ and $Q_4 = 0$.

7.2.8 Degree 5.

We have

$$a_8\phi_8 = 0 = Q_3\phi_5,$$

therefore $Q_3 = 0$.

7.2.9 Degree 4 and 3.

The same argument as in section 7.2.5 gives $a_7 = a_6 = 0$ and $Q_2 = Q_1 = 0$.

7.2.10 Degree 2.

We have

therefore $Q_0 = a_5$.

7.2.11 Conclusion.

In conclusion we have

$$\phi = \phi_5(A^3\phi_5^3 + a_{10}A\phi_5 + a_5) = \phi_{20} + a_{10}\phi_{10} + a_5\phi_5,$$

which gives $f(x) = x^{20} + a_{16}x^{16} + a_{10}x^{10} + a_8x^8 + a_5x^5 + a_4x^4 + a_2x^2 + a_1x + a_0$.